Smart card systems, such as patient card systems, should primarily serve the interests of the user/patient. The person-related medical data of a person stored on the patient card is particularly sensitive and hence worth protecting. In addition patients are often in a very weak state and are not in a position to deal positively with their protection. Consequently, laws and agreements must be adopted in order to set in place the legal and technical framework which will support the patient in protecting these sensitive cards.
Chip cards (smart cards) normally offer all the necessary control mechanisms with which the data in the non-volatile storage on the chip are protected. On one hand, the chip is effectively protected against physical access from outside, on the other hand an operating system monitors all accesses to the data and rejects attempts to read and/or write if the user cannot be authenticated and/or cannot enter a PIN. The chip thus prevents the protected data being read from outside through its data lines. Because of their recognized high security, chip cards are employed as identification systems primarily in the financial area.
The optical storage of the optical memory chip card uses the known technology employed in CDs and CD-ROMs. Because of its high storage capacity it is well suited to the storage of large amounts of data. It is, however, a disadvantage of this storage, that it provides no physical protection for the data. Anyone who has a reader is able to read the data. In spite of this, the data can be protected logically in that the data can be stored in encoded form. The coding of the data is also known under the technical term "cryptography".
The problem with all symmetrical encryption procedures is the confidential distribution of the decryption key between the parties involved. The greater the number of parties who wish to communicate with one another, the more insurmountable the problem of key management becomes. It would be easy to solve if all participants were to use the same key. However, this would mean that every one of them could read what two participants had encrypted between them and, in the event of a successful access from outside to this one key, the whole system would be open. If each participant were to have his own key, successful access to a key would be limited to the information which is sent to and received by one key holder. The other keyholders remain protected.
The problem of key exchange is even more problematical when it involves not just one sender and several receivers, that is, a 1-to-N relationship, but an n-to-N relationship. For example, every doctor may be the sender of information and any other authorized doctor must be able to read it. As already stated, the doctors should in no case have to agree to a key which is usable throughout the whole system before they can communicate. On the other hand, the participating doctors cannot all be expected to exchange their keys with one another beforehand.
European Patent EP 0668 578 describes a memory and selective information system for the transfer of sensitive data comprising an optical memory card, on which a spatially defined storage field for the exclusive storage of a plurality of codes arranged so as to have at least one for each key access, at least one read/write device for the optical memory card with a plurality of key-recognition functions, where each key recognition function points to each of a plurality of formatting functions contained in the read/write device and activates the latter in conjunction with the code assigned to each, where each formatting function points to a data storage field of the optical card and qualifies the data stored thereon for reading on the basis of the formatting data. One disadvantage of this process is that there is a key region and a data region on the optical storage medium. Two separate accesses to the optical storage medium are therefore necessary in order to read the key and the data. The process described in EP 0668 578 uses fixed keys, i. e. keys are predetermined in accordance with a particular procedure by the system. The read/write device is an important constituent for the decision as to which key should be used. This depends on the code, the formatting functions and the decision functions. Usually the present process is limited only to optical storage media.